Response from CCS to issues raised with RM3825

Please find attached our response to the points that you raised. I’d like to thank you for bringing these items to our attention and we are appreciative of the open working relationship we have that allows this productive interaction.

Hopefully we have answered the points you raised sufficiently, or where we were unclear, requested further clarification.

Point 1

Visibility and acknowledgement of the amended terms agreed with one supplier on 15th December 2017.

Including the following points

A single master document suite in one place

All suppliers to be given review and comment

Advice to customers regarding the amended document suite

Response

For clarity, there is only one ‘official’ version of the Terms. Amendments were made to terms for the NHSD self-serve and SW AP (and issued with those RFPs). These amendments were initiated from feedback from suppliers and prompted a review by NHS Digital. During this review, some errors were identified and corrections were made, along with a re-evaluation of the service levels. These were fed back to CCS and are currently in the Contract Variation Process. The amended terms will be sent to suppliers for review, comment and agreement as part of this process. Once complete, the updated Terms will be stored in two places: the supplier bid pack on the DPS portal and the RM3825 webpage.

CCS are currently producing an improved suite of guidance documentation and this will include advice and guidance on all subjects, including Terms and RFP packs.

Point 2

Serious review of the advisory pricing schedule and publication of new guidelines and template pricing schedule.

Response

We are not clear what you are referring to here. We assume that it is the NHS Digital pricing model. Can you clarify what you mean by ‘serious review’ and if so what this would entail? Are you asking for another workshop where your group can suggest improvements, which can then be considered for incorporation, followed by the issue of an updated model and guidance? NHS Digital have already reviewed this pricing model following an initial supplier workshop and this may have resolved your issues. There is also a further supplier workshop on this on Wednesday 11 April in Leeds.

Point 3

Point not addressed in the amended terms is the Termination Assistance – this requirement needs to be reviewed and hopefully changed.

“Clause (b) is in our opinion too broad, and that “any activity” presents an unqualifiable and potentially unlimited set of requirements. We suggest that Suppliers should be able to set out the assistance options they shall offer – either as part of a service’s definition or as options that Customers may procure separately.

This is particularly important because clause 41.5.1 now makes exit management a mandatory part of every service contracted via this vehicle.”

Response

We believe that this does not need amending and that it would not lead to extra, unpaid work. The term does allow suppliers to charge for any transition work that is outside of the terms of the original call off contract. If a supplier believes that any Transitional Assistance work put forward by the customer is not necessary to transition from the existing to replacement service within the scope of the Schedule, then it can make this clear to the customer and seek to apply charges to that activity.

Point 4

Service Levels – the incident fix formula does not add up. Needs to be amended.

The following formula relates to calculation of Incident Fix Time Achieved

Service Level achieved % = ((TI - FI) x 100) / TI

Where:

TI means the total number of Incidents raised by the Customer during the Service Period for the service instance; and

FI means the total number of Incidents raised by the Customer during the Service Period for the service instance that were not Fixed within the Incident Fix Time.

However, this formula “rewards” a greater number of incidents occurring that are fixed within time, if an incident has already failed to be fixed in time in that service period, as opposed to an incident failing to be fixed in time and no other incidents occurring at all in that period. (For November Version: 1 failed fixed time and no other incidents is 0% achieved and full 15% service credit; 1 failed fixed time and 9 other incidents fixed within time is 90% achieved and no service penalty. I am sure the customer would prefer situation 1 occurred and not situation 2, but the calculation contradicts this behaviour.)

Response

While we understand your reasoning, we do not believe that this requires amendment as it has been used on previous frameworks including RM1045 with no major issues.

Point 5

Clarity required around the Security levels required for compliance. Why was the CHECK qualification changed to CREST?

Response

As per Obligation SP05 all suppliers wishing to apply for, and then maintain, HSCN Compliance need to hold a valid IT Health Check (ITHC) which has been run according to the HSCN criteria which can be found in the Compliance Addendum document – Annex B.

The Obligation states:

The HSCN Supplier shall ensure an IT Health Check (ITHC) is conducted by an organisation delivering CHECK security testing services for the scope of service provided as per the government ITHC guidance (https://www.gov.uk/government/publications/it-health-check-ithc-supporting-guidance), incorporating the additional requirements within A.18.2.3 from Annex A of the Compliance Addendum and renewed prior to the anniversary of achievement of Stage 1 HSCN Compliance by the HSCN Supplier

The HSCN Compliance regime maintains a preference that the ITHC supplier should be CHECK scheme affiliated – the CHECK scheme is run by the National Cyber Security Centre (historically CESG).

The Gov.UK guidance that is linked to in both the Obligation and also the Compliance Addendum does state that CREST affiliated suppliers are also an option, but the HSCN preference is CHECK. The Obligation, and associated guidance materials, will be tightened up to this effect.

If you have a CREST ITHC currently, or a CREST affiliated supplier is in the process of running your ITHC now, then do not worry, as this will be accepted in the interim, but we would ask that all future ITHCs are run by a CHECK supplier.

To be clear – the HSCN Compliance regime has never made the decision, or communicated, that CREST is a preference.

Point 6

Dropped requirement for VRF to internet, the Group would like clarity on this requirement.

Response

At one point NHS Digital were exploring a requirement to use a separate VRF to route internet traffic and apply this on the CPE (in addition to the HSCN VRF). They withdrew the requirement for CNSPs to offer this capability due to the limitations on Broadband Technology.

DSL natively only supports a single VRF; to add additional VRFs to DSL services would add complexity and cost. In addition, this would also raise additional issues as to how the VRFs would be presented to the Consumer. It should be noted that N3 has operated a single VRF for the past 14 years.